Update V8 to r6122 (2.5 branch) as required by Chromium 9.0.597.55 Change-Id: Ia29dad551dd0cd7fa3c4d5084421f91d8b210271

commit: db5a90a88cfcddb042912799e872037c6548b8a3 [log] [tgz]
author: Ben Murdoch <benm@google.com> Thu Jan 06 18:27:03 2011 +0000
committer: Ben Murdoch <benm@google.com> Thu Jan 06 18:27:03 2011 +0000
tree: 9814507a4747f3a2a18f373136c8afc07833e296
parent: 84594822a6e163d90d09c0b2a1f0e6502adf4686 [diff] [blame]
diff --git a/src/ia32/codegen-ia32.cc b/src/ia32/codegen-ia32.cc
index f5ab357..e0e016c 100644
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc

@@ -7751,6 +7751,13 @@
   __ test(tmp2.reg(), Immediate(kSmiTagMask));
   deferred->Branch(not_zero);
 
+  // Check that both indices are valid.
+  __ mov(tmp2.reg(), FieldOperand(object.reg(), JSArray::kLengthOffset));
+  __ cmp(tmp2.reg(), Operand(index1.reg()));
+  deferred->Branch(below_equal);
+  __ cmp(tmp2.reg(), Operand(index2.reg()));
+  deferred->Branch(below_equal);
+
   // Bring addresses into index1 and index2.
   __ lea(index1.reg(), FixedArrayElementOperand(tmp1.reg(), index1.reg()));
   __ lea(index2.reg(), FixedArrayElementOperand(tmp1.reg(), index2.reg()));
commit	db5a90a88cfcddb042912799e872037c6548b8a3	[log] [tgz]
author	Ben Murdoch <benm@google.com>	Thu Jan 06 18:27:03 2011 +0000
committer	Ben Murdoch <benm@google.com>	Thu Jan 06 18:27:03 2011 +0000
tree	9814507a4747f3a2a18f373136c8afc07833e296
parent	84594822a6e163d90d09c0b2a1f0e6502adf4686 [diff] [blame]